ci: add GitHub Actions workflow with tests + secret scanning

benvinegar · benvinegar · commit e805a5885e2f · 2026-02-15T21:14:33.000-05:00
- Runs all 202 tests across 6 suites on push/PR
- detect-secrets scans for leaked secrets against audited baseline
- Node.js 22.x, ubuntu-latest runner
- Includes package-lock.json for npm ci
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,66 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Install slack-bridge dependencies
+        run: cd slack-bridge && npm ci
+
+      - name: Test — bridge security (71 tests)
+        run: cd slack-bridge && node --test security.test.mjs
+
+      - name: Test — tool-guard (60 tests)
+        run: cd pi/extensions && node --test tool-guard.test.mjs
+
+      - name: Test — extension scanner (15 tests)
+        run: cd bin && node --test scan-extensions.test.mjs
+
+      - name: Test — safe-bash wrapper (24 tests)
+        run: cd bin && bash hornet-safe-bash.test.sh
+
+      - name: Test — log redaction (11 tests)
+        run: cd bin && bash redact-logs.test.sh
+
+      - name: Test — security audit (21 tests)
+        run: cd bin && bash security-audit.test.sh
+
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install detect-secrets
+        run: pip install detect-secrets
+
+      - name: Check for new secrets
+        run: |
+          # Scan the repo and compare against the audited baseline.
+          # Fails if any NEW secrets are found that aren't in the baseline.
+          detect-secrets scan \
+            --baseline .secrets.baseline \
+            --exclude-files 'node_modules/.*' \
+            --exclude-files '\.git/.*' \
+            --exclude-files 'package-lock\.json'
+
+          # Verify no unaudited secrets remain
+          if detect-secrets audit --report --baseline .secrets.baseline 2>&1 | grep -q 'Unaudited'; then
+            echo "❌ Unaudited secrets found — run: detect-secrets audit .secrets.baseline"
+            exit 1
+          fi
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,147 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "node_modules/.*",
+        "\\.git/.*",
+        "package-lock\\.json",
+        ".*\\.test\\.(mjs|sh)$"
+      ]
+    }
+  ],
+  "results": {
+    "pi/extensions/zen-provider.ts": [
+      {
+        "type": "Secret Keyword",
+        "filename": "pi/extensions/zen-provider.ts",
+        "hashed_secret": "df6e0ac13c2e4889d47c4dfa0ace314e8f96eb9e",
+        "is_verified": false,
+        "line_number": 6,
+        "is_secret": false
+      }
+    ]
+  },
+  "generated_at": "2026-02-16T02:13:49Z"
+}
diff --git a/slack-bridge/package-lock.json b/slack-bridge/package-lock.json
